Privacy & Security

November 20, 2014

5 ways health data breaches are far worse than financial ones

Tom Garrubba, Senior director, Santa Fe Group and Shared Assessments Program | November 10, 2014

Remember that song Janis Joplin made famous, “Piece of My Heart”? I do, and it reminds me of the fundamental difference between financial and healthcare data breaches.

The breach of personal financial information causes stress — recovering missing funds, paying late fees or interest, worrying about credit worthiness. Ultimately, however, a person’s financial identity can be fully restored.

Not so with medical identity. Healthcare data breaches have a much more personal, longer lasting, and potentially deadly impact.

Victims are at the mercy of those who, through fair means or foul, have control of their protected health information (PHI). And several factors contribute to the costlier, deadlier effects of healthcare data breaches over financial ones.

1. High volume of healthcare data breaches. 2013 statistics from the Identity Theft Resource Center were reported in a recent article: 44 percent of all breaches were healthcare related, while financial service breaches were just 3.7 percent (the first time that healthcare industry breaches exceeded all others). Healthcare is again on track to lead in 2014, also according to the Identity Theft Resource Center — a dubious distinction, to be sure.

2. The difficulty in restoring medical identities. Victims of healthcare data breaches have fewer resources to help them.

3. Ignorance of the deadly consequences. Individuals don’t realize the devastating impact associated with a breach of their health records. What was presumed private — physical, mental, and prescriptive health history — could be made public and used inappropriately. This data could appear anywhere at any time, online, in the form of cyberbullying or, worse, blackmail.


U.S. Postal Service Confirms Data Breach

November 11, 2014

Employee, Customer Information Potentially Compromised

By , November 10, 2014.


The Federal Bureau of Investigation is leading an investigation into a data breach at the U.S. Postal Service, which affected employees and customers.

In a Nov. 10 statement, which provides few details, USPS says it recently learned of a “cybersecurity intrusion” into some of its information systems. All operations are now functioning normally, according to the statement.

More than 800,000 employees were impacted in the breach, says David Partenheimer, spokesperson for the USPS. Employee information potentially compromised includes names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information.

Customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1 and Aug. 16 were also potentially affected, although USPS is still investigating the exact number of individuals impacted, Partenheimer says. Potentially compromised customer details include names, addresses, telephone numbers and e-mail addresses.

CNN, citing a U.S. official familiar with the breach, says 2.9 million postal service customers were affected by the breach.

Transactional systems in post offices, as well as on, where customers pay for services with credit and debit cards, have not been affected by the breach, USPS says. There is also no evidence that any customer credit card information from retail or online purchases, such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised, officials say.

China Involved?

Some news reports are indicating China may be behind the attacks, but Partenheimer says he cannot confirm that because “the source of the intrusion is under investigation.”

But security consultant Richard Stiennon, author of Surviving Cyberwar, doesn’t suspect China is behind the USPS breach. “They are still in the espionage and reconnaissance phase of their cyber-evolution,” he says. “On the other hand … one has to question the timing of the notification considering that President [Obama] arrived in China today.”

Karl Rauscher, ambassador-at-large and chief architect for cyberspace policy at the Institute of Electrical and Electronics Engineers, says that cyber-attacks, like the one that targeted USPS, are becoming more sophisticated, “and even those best capable of reacting to them are overwhelmed. Cyber security today is typically practiced in a reactive posture to an ever growing number of threats.”

No Evidence of Fraud

The USPS says it’s not aware of any evidence that any of the potentially compromised customer or employee information has been used to engage in malicious activity.


November 7, 2014

Can healthcare consumers now enforce HIPAA privacy rules? Leveraging our judicial system, the answer may be yes. A recent state Supreme Court ruling gives patients the right to sue healthcare providers for negligence if they violate a “standard of care” when managing protected health information.

Court Allows HIPAA Negligence Claim

Experts Analyze Potential Impact of Decision

By , November 7, 2014.

Legal experts are analyzing the potential national impact of a Connecticut Supreme Court ruling that plaintiffs can sue for negligence if a healthcare provider violates HIPAA regulations for protecting patient privacy.
